Add DynamoDB permission test

Author: KodaiD

.github/workflows/permission-check.yaml

@@ -86,3 +86,32 @@ jobs:
         with:
           name: cassandra_3.11_permission_integration_test_reports
           path: core/build/reports/tests/integrationTestCassandraPermission
+
+  integration-test-permission-dynamo:
+    name: DynamoDB Permission Integration Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK ${{ env.JAVA_VERSION }} (${{ env.JAVA_VENDOR }})
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ env.JAVA_VERSION }}
+          distribution: ${{ env.JAVA_VENDOR }}
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+
+      - name: Execute Gradle 'integrationTestDynamoPermission' task
+        run: ./gradlew integrationTestDynamoPermission
+        env:
+          DYNAMO_ACCESS_KEY_ID: ${{ secrets.DYNAMO_ACCESS_KEY }}
+          DYNAMO_SECRET_ACCESS_KEY: ${{ secrets.DYNAMO_SECRET_ACCESS_KEY }}
+
+      - name: Upload Gradle test reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dynamo_permission_integration_test_reports
+          path: core/build/reports/tests/integrationTestDynamoPermission

core/build.gradle

@@ -45,6 +45,9 @@ sourceSets {
             srcDir file('src/integration-test/java')
             include '**/com/scalar/db/common/*.java'
             include '**/com/scalar/db/storage/dynamo/*.java'
+            exclude '**/com/scalar/db/storage/dynamo/DynamoPermissionTestUtils.java'
+            exclude '**/com/scalar/db/storage/dynamo/DynamoPermissionIntegrationTest.java'
+            exclude '**/com/scalar/db/storage/dynamo/DynamoAdminPermissionIntegrationTest.java'
         }
         resources.srcDir file('src/integration-test/resources')
     }
@@ -84,6 +87,20 @@ sourceSets {
         }
         resources.srcDir file('src/integration-test/resources')
     }
+    integrationTestDynamoPermission {
+        java {
+            compileClasspath += main.output + test.output
+            runtimeClasspath += main.output + test.output
+            srcDir file('src/integration-test/java')
+            include '**/com/scalar/db/common/*.java'
+            include '**/com/scalar/db/storage/dynamo/DynamoPermissionTestUtils.java'
+            include '**/com/scalar/db/storage/dynamo/DynamoAdminTestUtils.java'
+            include '**/com/scalar/db/storage/dynamo/DynamoEnv.java'
+            include '**/com/scalar/db/storage/dynamo/DynamoPermissionIntegrationTest.java'
+            include '**/com/scalar/db/storage/dynamo/DynamoAdminPermissionIntegrationTest.java'
+        }
+        resources.srcDir file('src/integration-test/resources')
+    }
 }
 
 configurations {
@@ -108,6 +125,9 @@ configurations {
     integrationTestCassandraPermissionImplementation.extendsFrom testImplementation
     integrationTestCassandraPermissionRuntimeOnly.extendsFrom testRuntimeOnly
     integrationTestCassandraPermissionCompileOnly.extendsFrom testCompileOnly
+    integrationTestDynamoPermissionImplementation.extendsFrom testImplementation
+    integrationTestDynamoPermissionRuntimeOnly.extendsFrom testRuntimeOnly
+    integrationTestDynamoPermissionCompileOnly.extendsFrom testCompileOnly
 }
 
 dependencies {
@@ -120,6 +140,8 @@ dependencies {
     implementation platform("software.amazon.awssdk:bom:${awssdkVersion}")
     implementation 'software.amazon.awssdk:applicationautoscaling'
     implementation 'software.amazon.awssdk:dynamodb'
+    implementation 'software.amazon.awssdk:iam'
+    implementation 'software.amazon.awssdk:iam-policy-builder'
     implementation "org.apache.commons:commons-dbcp2:${commonsDbcp2Version}"
     implementation "com.mysql:mysql-connector-j:${mysqlDriverVersion}"
     implementation "org.postgresql:postgresql:${postgresqlDriverVersion}"
@@ -231,6 +253,17 @@ task integrationTestCassandraPermission(type: Test) {
     }
 }
 
+task integrationTestDynamoPermission(type: Test) {
+    description = 'Runs the integration tests for DynamoDB permissions.'
+    group = 'verification'
+    testClassesDirs = sourceSets.integrationTestDynamoPermission.output.classesDirs
+    classpath = sourceSets.integrationTestDynamoPermission.runtimeClasspath
+    outputs.upToDateWhen { false }  // ensures integration tests are run every time when called
+    options {
+        systemProperties(System.getProperties().findAll { it.key.toString().startsWith("scalardb") })
+    }
+}
+
 spotless {
     java {
         target 'src/*/java/**/*.java'

core/src/integration-test/java/com/scalar/db/storage/dynamo/DynamoAdminPermissionIntegrationTest.java

@@ -0,0 +1,62 @@
+package com.scalar.db.storage.dynamo;
+
+import static com.scalar.db.storage.dynamo.DynamoPermissionTestUtils.SLEEP_BETWEEN_TESTS_SECONDS;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.util.concurrent.Uninterruptibles;
+import com.scalar.db.api.DistributedStorageAdminPermissionIntegrationTestBase;
+import com.scalar.db.util.AdminTestUtils;
+import com.scalar.db.util.PermissionTestUtils;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.TimeUnit;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+
+public class DynamoAdminPermissionIntegrationTest
+    extends DistributedStorageAdminPermissionIntegrationTestBase {
+  @Override
+  protected Properties getProperties(String testName) {
+    return DynamoEnv.getProperties(testName);
+  }
+
+  @Override
+  protected Properties getPropertiesForNormalUser(String testName) {
+    return DynamoEnv.getProperties(testName);
+  }
+
+  @Override
+  protected Map<String, String> getCreationOptions() {
+    return ImmutableMap.of(DynamoAdmin.NO_SCALING, "false", DynamoAdmin.NO_BACKUP, "false");
+  }
+
+  @Override
+  protected AdminTestUtils getAdminTestUtils(String testName) {
+    return new DynamoAdminTestUtils(getProperties(testName));
+  }
+
+  @Override
+  protected PermissionTestUtils getPermissionTestUtils(String testName) {
+    return new DynamoPermissionTestUtils(getProperties(testName));
+  }
+
+  @Override
+  protected void sleepBetweenTests() {
+    Uninterruptibles.sleepUninterruptibly(SLEEP_BETWEEN_TESTS_SECONDS, TimeUnit.SECONDS);
+  }
+
+  @Test
+  @Override
+  @Disabled("Import-related functionality is not supported in DynamoDB")
+  public void getImportTableMetadata_WithSufficientPermission_ShouldSucceed() {}
+
+  @Test
+  @Override
+  @Disabled("Import-related functionality is not supported in DynamoDB")
+  public void addRawColumnToTable_WithSufficientPermission_ShouldSucceed() {}
+
+  @Test
+  @Override
+  @Disabled("Import-related functionality is not supported in DynamoDB")
+  public void importTable_WithSufficientPermission_ShouldSucceed() {}
+}

core/src/integration-test/java/com/scalar/db/storage/dynamo/DynamoEnv.java

@@ -10,12 +10,14 @@ public final class DynamoEnv {
   private static final String PROP_DYNAMO_REGION = "scalardb.dynamo.region";
   private static final String PROP_DYNAMO_ACCESS_KEY_ID = "scalardb.dynamo.access_key_id";
   private static final String PROP_DYNAMO_SECRET_ACCESS_KEY = "scalardb.dynamo.secret_access_key";
+  private static final String PROP_DYNAMO_EMULATOR = "scalardb.dynamo.emulator";
   private static final String PROP_DYNAMO_CREATE_OPTIONS = "scalardb.dynamo.create_options";
 
   private static final String DEFAULT_DYNAMO_ENDPOINT_OVERRIDE = "http://localhost:8000";
   private static final String DEFAULT_DYNAMO_REGION = "us-west-2";
   private static final String DEFAULT_DYNAMO_ACCESS_KEY_ID = "fakeMyKeyId";
   private static final String DEFAULT_DYNAMO_SECRET_ACCESS_KEY = "fakeSecretAccessKey";
+  private static final String DEFAULT_DYNAMO_EMULATOR = "true";
 
   private static final ImmutableMap<String, String> DEFAULT_DYNAMO_CREATE_OPTIONS =
       ImmutableMap.of(DynamoAdmin.NO_SCALING, "true", DynamoAdmin.NO_BACKUP, "true");
@@ -30,9 +32,10 @@ public static Properties getProperties(String testName) {
         System.getProperty(PROP_DYNAMO_ACCESS_KEY_ID, DEFAULT_DYNAMO_ACCESS_KEY_ID);
     String secretAccessKey =
         System.getProperty(PROP_DYNAMO_SECRET_ACCESS_KEY, DEFAULT_DYNAMO_SECRET_ACCESS_KEY);
+    String isEmulator = System.getProperty(PROP_DYNAMO_EMULATOR, DEFAULT_DYNAMO_EMULATOR);
 
     Properties properties = new Properties();
-    if (endpointOverride != null) {
+    if (Boolean.parseBoolean(isEmulator) && endpointOverride != null) {
       properties.setProperty(DynamoConfig.ENDPOINT_OVERRIDE, endpointOverride);
     }
     properties.setProperty(DatabaseConfig.CONTACT_POINTS, region);

core/src/integration-test/java/com/scalar/db/storage/dynamo/DynamoPermissionIntegrationTest.java

@@ -0,0 +1,36 @@
+package com.scalar.db.storage.dynamo;
+
+import com.google.common.collect.ImmutableMap;
+import com.scalar.db.api.DistributedStoragePermissionIntegrationTestBase;
+import com.scalar.db.util.AdminTestUtils;
+import com.scalar.db.util.PermissionTestUtils;
+import java.util.Map;
+import java.util.Properties;
+
+public class DynamoPermissionIntegrationTest
+    extends DistributedStoragePermissionIntegrationTestBase {
+  @Override
+  protected Properties getProperties(String testName) {
+    return DynamoEnv.getProperties(testName);
+  }
+
+  @Override
+  protected Properties getPropertiesForNormalUser(String testName) {
+    return DynamoEnv.getProperties(testName);
+  }
+
+  @Override
+  protected Map<String, String> getCreationOptions() {
+    return ImmutableMap.of(DynamoAdmin.NO_SCALING, "false", DynamoAdmin.NO_BACKUP, "false");
+  }
+
+  @Override
+  protected PermissionTestUtils getPermissionTestUtils(String testName) {
+    return new DynamoPermissionTestUtils(getProperties(testName));
+  }
+
+  @Override
+  protected AdminTestUtils getAdminTestUtils(String testName) {
+    return new DynamoAdminTestUtils(getProperties(testName));
+  }
+}

core/src/integration-test/java/com/scalar/db/storage/dynamo/DynamoPermissionTestUtils.java

@@ -0,0 +1,146 @@
+package com.scalar.db.storage.dynamo;
+
+import com.scalar.db.config.DatabaseConfig;
+import com.scalar.db.util.PermissionTestUtils;
+import java.util.Optional;
+import java.util.Properties;
+import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
+import software.amazon.awssdk.policybuilder.iam.IamEffect;
+import software.amazon.awssdk.policybuilder.iam.IamPolicy;
+import software.amazon.awssdk.policybuilder.iam.IamResource;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.iam.IamClient;
+import software.amazon.awssdk.services.iam.model.AttachUserPolicyRequest;
+import software.amazon.awssdk.services.iam.model.AttachedPolicy;
+import software.amazon.awssdk.services.iam.model.CreatePolicyRequest;
+import software.amazon.awssdk.services.iam.model.CreatePolicyVersionRequest;
+import software.amazon.awssdk.services.iam.model.DeletePolicyVersionRequest;
+import software.amazon.awssdk.services.iam.model.ListAttachedUserPoliciesRequest;
+import software.amazon.awssdk.services.iam.model.ListPolicyVersionsRequest;
+import software.amazon.awssdk.services.iam.model.User;
+
+public class DynamoPermissionTestUtils implements PermissionTestUtils {
+  public static final int SLEEP_BETWEEN_TESTS_SECONDS = 10;
+  private static final String IAM_POLICY_NAME = "test-dynamodb-permissions";
+  private static final IamPolicy POLICY =
+      IamPolicy.builder()
+          .addStatement(
+              s ->
+                  s.effect(IamEffect.ALLOW)
+                      .addAction("dynamodb:ConditionCheckItem")
+                      .addAction("dynamodb:PutItem")
+                      .addAction("dynamodb:ListTables")
+                      .addAction("dynamodb:DeleteItem")
+                      .addAction("dynamodb:Scan")
+                      .addAction("dynamodb:Query")
+                      .addAction("dynamodb:UpdateItem")
+                      .addAction("dynamodb:DeleteTable")
+                      .addAction("dynamodb:UpdateContinuousBackups")
+                      .addAction("dynamodb:CreateTable")
+                      .addAction("dynamodb:DescribeTable")
+                      .addAction("dynamodb:GetItem")
+                      .addAction("dynamodb:DescribeContinuousBackups")
+                      .addAction("dynamodb:UpdateTable")
+                      .addAction("application-autoscaling:RegisterScalableTarget")
+                      .addAction("application-autoscaling:DeleteScalingPolicy")
+                      .addAction("application-autoscaling:PutScalingPolicy")
+                      .addAction("application-autoscaling:DeregisterScalableTarget")
+                      .addAction("application-autoscaling:TagResource")
+                      .addResource(IamResource.ALL))
+          .build();
+  private final IamClient client;
+
+  public DynamoPermissionTestUtils(Properties properties) {
+    DynamoConfig config = new DynamoConfig(new DatabaseConfig(properties));
+    this.client =
+        IamClient.builder()
+            .region(Region.of(config.getRegion()))
+            .credentialsProvider(
+                StaticCredentialsProvider.create(
+                    AwsBasicCredentials.create(
+                        config.getAccessKeyId(), config.getSecretAccessKey())))
+            .build();
+  }
+
+  @Override
+  public void createNormalUser(String userName, String password) {
+    // Do nothing for DynamoDB.
+  }
+
+  @Override
+  public void dropNormalUser(String userName) {
+    // Do nothing for DynamoDB.
+  }
+
+  @Override
+  public void grantRequiredPermission(String userName) {
+    try {
+      User user = client.getUser().user();
+      Optional<String> attachedPolicyArn = getAttachedPolicyArn(user.userName());
+      if (attachedPolicyArn.isPresent()) {
+        deleteStalePolicyVersions(attachedPolicyArn.get());
+        createNewPolicyVersion(attachedPolicyArn.get());
+      } else {
+        String policyArn = createNewPolicy();
+        client.attachUserPolicy(
+            AttachUserPolicyRequest.builder()
+                .userName(user.userName())
+                .policyArn(policyArn)
+                .build());
+      }
+    } catch (Exception e) {
+      throw new RuntimeException("Failed to grant required permissions", e);
+    }
+  }
+
+  @Override
+  public void close() {
+    client.close();
+  }
+
+  private Optional<String> getAttachedPolicyArn(String userName) {
+    AttachedPolicy attachedPolicy =
+        client
+            .listAttachedUserPolicies(
+                ListAttachedUserPoliciesRequest.builder().userName(userName).build())
+            .attachedPolicies().stream()
+            .filter(policy -> policy.policyName().equals(DynamoPermissionTestUtils.IAM_POLICY_NAME))
+            .findFirst()
+            .orElse(null);
+    return Optional.ofNullable(attachedPolicy).map(AttachedPolicy::policyArn);
+  }
+
+  private String createNewPolicy() {
+    return client
+        .createPolicy(
+            CreatePolicyRequest.builder()
+                .policyName(IAM_POLICY_NAME)
+                .policyDocument(POLICY.toJson())
+                .build())
+        .policy()
+        .arn();
+  }
+
+  private void deleteStalePolicyVersions(String policyArn) {
+    client.listPolicyVersions(ListPolicyVersionsRequest.builder().policyArn(policyArn).build())
+        .versions().stream()
+        .filter(version -> !version.isDefaultVersion())
+        .forEach(
+            version ->
+                client.deletePolicyVersion(
+                    DeletePolicyVersionRequest.builder()
+                        .policyArn(policyArn)
+                        .versionId(version.versionId())
+                        .build()));
+  }
+
+  private void createNewPolicyVersion(String policyArn) {
+    client.createPolicyVersion(
+        CreatePolicyVersionRequest.builder()
+            .policyArn(policyArn)
+            .policyDocument(POLICY.toJson())
+            .setAsDefault(true)
+            .build());
+  }
+}